What is the best way to compare search results to multiple lookup tables and identify which ones return hits?


Here's what I'm trying to do: I have multiple lists of bad IPs, each from a different source, each set up as a lookup. Two are automatically updated and one is manually updated. The lists are stored in files called badip1.csv, badip2.csv and badip3.csv. I have a dashboard that shows if any of the IPs were found, but I'm not sure if this is the most efficient method.


4 Answers

So it turns out I needed to combine the answers of @martin_mueller and @musskopf for this to work. Using OR caused the search to run VERY slow. And piping the result of each search into a lookup got the info I wanted.

Say you have multiple sources from which you collect malicious domains or IPs. When you create your lookup tables, for each malicious domain/IP that you enter, put the source from where you got it. This way, when you get a hit against a bad domain or bad IP, you can refer back to the source to get more information about why that domain/IP was bad and figure out what other actions you should take.

We noticed that we were getting hits against an IP or domain labeled as BAD but no idea WHY because the reason it was put as an alert was lost. By being able to refer to the source, we could now find out if the IP or domain was bad because it's part of a botnet or spearphish or whatever and take specific actions.
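Putting the two answers together, here is an added SPL search (not taken from the thread; the field and lookup names are assumptions). It assumes three lookup definitions named badip1, badip2 and badip3 that point at badip1.csv, badip2.csv and badip3.csv, each with an ip column and a threat_source column holding the feed the entry came from (for example "feed-a", "feed-b", "manual"), and firewall events in index firewall with a src_ip field. Each lookup is applied in turn, as in the accepted answer, and the matched feed names are carried through so the dashboard shows why an IP is on a list:

```spl
index=firewall sourcetype=fw_traffic earliest=-24h
| fields _time src_ip dest_ip action
| lookup badip1 ip AS src_ip OUTPUT threat_source AS badip1_source
| lookup badip2 ip AS src_ip OUTPUT threat_source AS badip2_source
| lookup badip3 ip AS src_ip OUTPUT threat_source AS badip3_source
| where isnotnull(badip1_source) OR isnotnull(badip2_source) OR isnotnull(badip3_source)
| eval matched_lists=mvappend(badip1_source, badip2_source, badip3_source)
| stats count AS hits, min(_time) AS first_seen, max(_time) AS last_seen, dc(dest_ip) AS dest_count, values(matched_lists) AS matched_lists BY src_ip
| convert ctime(first_seen) ctime(last_seen)
| sort -hits
```

Each lookup writes its own output field rather than a shared one, so an IP present on more than one list keeps every feed name; mvappend ignores the fields that are null for a given event. Do not name the CSV column source: that is a built-in field on every event, and a lookup writing to it would overwrite where the event actually came from. The lookup command runs after the base search has returned events, so it does not narrow what is read from the index; keep the base search tight (index, sourcetype, time range) rather than expanding the lists into the search itself with subsearches and OR, which is the slow form the accepted answer describes. To confirm each list loads and carries its source column, run `| inputlookup badip1 | stats count BY threat_source` for each definition before wiring the search into the dashboard.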